Competition helps inspire two teams to push further and the fans to cheer harder.

In business, as in the case of McAfee and Symantec, our rivalry means we create better products, push to stay on top, and help our partners do the same.

Head-to-Head in CRN

As you may have seen, CRN’s Head-to-Head slideshow featured McAfee and Symantec competing in the security arena around spyware protection, intrusion prevention, and overall channel profitability.

As with any good rivalry, the game is always exciting. While CRN’s consensus is that Symantec does have a strong portfolio, McAfee came out on top for Security Management Console (ePolicy Orchestrator), cutting-edge hardware-based security, and overall partner profitability.

“Show me the money” –  Keeping Partners Profitable

While industry accolades validate the work we do at McAfee–and we’re always flattered to receive them—one of the biggest success metrics for me is to see partners’ profitability increase. So we were especially thrilled to hear that partners told CRN that our channel program is more profitable and that our efforts to increase support for your businesses haven’t gone unnoticed.

And customers appreciate the results, too. For customers, we’re setting a new industry standard for time to respond. We know it can be difficult to share intelligence across different solutions and that’s an issue for customers who are dealing with threats and want to respond quickly.

Transforming Security, Together

As I wrote back in February in my post Transforming the Security Industry…Together, you can’t adequately protect customers from the volume and sophistication of today’s cyber attacks without an integrated security platform that proactively and intelligently protects. That’s why using an end-to-end McAfee solution is so key to network security for customers.

We’ve got the tools to respond to threats in real time with Real Time ePolicy Orchestrator (ePO) that queries information from all of your customer’s endpoints in seconds, leading to more intelligent analysis and quick decision making on the part of IT.

With new devices and new threats hitting networks every day, it’s our goal to work together to ensure customers’ networks stay secure through innovative products and help you stay profitable through innovative channel programs.

The result? While Symantec continues to have a strong portfolio, McAfee came out on top for its central policy management through ePolicy Orchestrator, innovation with hardware-based security technologies, and its profitable McAfee Channels program!

Here’s a quick rundown of McAfee’s top-mark capabilities:

Antivirus-Antimalware

According to CRN, McAfee’s strengths lie in McAfee SiteAdvisor Enterprise, which can be configured by administrators to block access to malicious websites. In addition, McAfee provides behavioral protection to prevent buffer overflow and zero-day attacks. We’re also working closely with Intel on new hardware-based security defenses, demonstrating “a desire to grow beyond traditional signature-based technologies to detect advanced threats.”

Security Management Console

ePolicy Orchestrator (ePO), McAfee’s core management console, provides unparalleled scalability, policy management and reporting capabilities that make it simple to get security right. In addition, Real Time for McAfee ePO collects McAfee endpoint security product status instantly, providing real-time visibility that enables organizations to quickly identify and remediate under-protected and noncompliant endpoints.

Encryption

As CRN states, “McAfee partners swear by the company’s SafeBoot foundation.” McAfee Endpoint Encryption solutions use industry-leading algorithms and offer multiple layers of data protection, allowing organizations to transparently secure a broader scope of confidential information without system performance degradation.

Channel Program

The endpoint market is projected to grow from $3.8B in 2012 to $4.88B in 2017, according to the IDC. Real Time for ePO and real time intelligence is something no other security vendor can provide, just one of McAfee’s competitive displacement endpoint security opportunities.

Channel View

Symantec partners interviewed by CRN noted that McAfee’s program is less complex and in many cases provides higher margins and is more profitable.  McAfee’s flexible SecurityAlliance program enables resellers to jump-start sales, and provides detailed training, education, and support to boost knowledge of McAfee security technology – ensuring partners meet their customers’ needs for a secure network.

The Bottom Line

#1 in endpoint protection, McAfee protects where others fail. In addition to this most recent analysis from CRN, NSS Labs ranked McAfee as the leader against day zero exploit and evasion attacks. AV Test also measured 100% protection against stealthy attacks using McAfee Deep Defender, while West Coast Labs shows McAfee Application Control provides 100% malware protection with very low system overhead.

Numbers don’t lie, and McAfee’s comprehensive, tailored solutions are proven to reduce complexity to achieve multi-layer endpoint defense that won’t impact productivity.

You can imagine that with all of these issues, companies are moving cautiously and may very well run out of ramp before XP becomes EOL. Continuing in this mode opens businesses to risk, as there will no longer be vendor-supplied patches to address vulnerabilities. As risky as an outdated operating system may be, additional risk may also come from everyday business applications. Until you are ready to change your desktop environment, McAfee suggests three basic steps to combat risk:

1. Remove Admin privilege from standard users
2. Enable memory and buffer overflow protection;
3. Enable whitelisting for 0-day vulnerability protection.

One of the key metrics many auditors look at when evaluating a compensating control is to see that the control goes above and beyond. An unsupported operating system, or even any software code, can potentially be exploited through memory and buffer manipulation. 0-day vulnerabilities are being aggressively found and used to trigger zero-day attacks, like the recent Java zero-day vulnerability that pushed out crimeware payloads to unprotected users.

Mitigate these issues by normalizing user privileges commensurate with their roles and responsibilities – for example, users should not be Admin level unless they are part of your IT organization. Continue to leverage the McAfee Host Intrusion Protection for Desktop (HIPS) for memory and buffer overflow protection. Prevent unauthorized software from executing on your systems by adding McAfee’s dynamic whitelisting capability through McAfee Application Control.

Managing risk and going beyond with these steps ensures you can address the potential vulnerabilities that may be at hand by continuing on Windows XP for a limited time.

To learn more about today’s evolving landscape of desktop security, be sure to download our whitepaper.

Businesses have been struggling with how to implement corporate computing securely for a user base that is accustomed to personal computing. I make a distinction here, because I know of several companies, CIOs, and IT managers that would like to limit their users from installing new applications and personalizing their work systems. They say these actions add overhead to security management and compliance and increase risk. However, corporate end-users now expect to have the same privileges on a work system as they do their own personal systems. The corporate compute conundrum gets even more complex when you throw in BYOD, or wearable computers in the future.

But what is puzzling is that many of these same IT leaders and decision makers lump their servers into the count of total endpoints when they consider security solutions. Many utilize their end-user security solution to secure their servers. Yet servers provide so much more to an organization. Weigh the cost of lost business if one PC became corrupted against the loss if a server became unavailable for the same time period.

We have plenty of computing choices – from user-facing systems to the infrastructure-creating cloud and datacenter services. There is no post-PC era, there’s only a multi-device, ‘right tool for the job’ era, as quoted by Ted Schadler, Forrester Research, for Forbes.com.

With its unique datacenter security solutions, McAfee secures a wide range of data center computing servers, including web servers, application servers, database servers, mail servers, and SharePoint servers. Review the results from SANS on this suite of products.

This year, McAfee will continue to simplify security and give IT the flexibility to provide the right fit for the right type of user-facing device. We will ensure that all your compute form factors will be reliably protected—and centrally managed.

It no longer matters how anyone defines a personal computer. Since corporate compute is happening on all types of personal computing devices, we are making it easy to protect all types of devices. McAfee will help you protect your business, regardless of the type of computer your business chooses to wear.

 “antivirus protection alone barely represents a speed bump to determined hackers”

Andy Greenburg, Forbes

Surprisingly, I actually wholeheartedly agree.

“Antivirus” as Andy calls it, or blacklisting as it’s commonly known in malware protection circles is a pretty simple technique – and fundamentally flawed unfortunately. I’ll break it down to show you why.

1.            Someone gets an infected email, or visits a compromised web site.

2.            The malware is new, and thus not identified by their blacklisting technology, so it installs and they get infected

3.            Somehow some time later, this comes to the attention of their blacklisting software vendor

4.            The infection gets broken down and analyzed – a unique “fingerprint” or “signature” is created

5.            This signature gets distributed out to all the other customers of the blacklisting vendor, and also the blacklisting community

6.            Now, everyone else is protected from this particular threat

Do you see the problems? Firstly of course, it requires a sacrificial sheep – yes, no blacklisting software will detect things it does not know about, so all you have to do to be a successful hacker, is create something new.

Secondly, even when your malware gets detected, there’s a significant delay before the world catches on – much like a new strain of Flu, it can affect thousands of people before anyone realizes, and then it can take days for an appropriate remedy to be put in place. Blacklisting is the same – there’s a lead time between companies like McAfee getting a sample, and us distributing the detection and cure back to our customers. It can take days after the first infection using this old method.

Thirdly, the most damming problem, is that your blacklisting software is always on the defense, it’s always reacting to things that happened in the past – Modern programming techniques mean that creating dynamic, or “Polymorphic”code  is trivial, so everyone who gets infected might be infected by a different version of the malware – can you imagine what trouble that causes a blacklisting system? Not only does everyone get what seems to be a new piece of malware, but even when you’ve analyzed it, there’s little point telling the rest of the world about it, as each malware sample will probably only be seen once.

Maybe that explains why there’s a differing opinion on how much malware exists – anything between 70 million and 150 million examples depending on who you ask.

Blacklisting is valuable as it catches the common, repeat offender malware. The stuff that’s been circulating around for months, if not years, the old examples which keep getting recycled into the field – but as a mechanism to protect you from novel, bleeding edge threats? Not a chance.

So with that said I expect you’re waiting for me to say that there’s no point renewing your subscriptions and you might as well give in now? Thankfully not – nothing could be further from the truth.

Going back to the vendors press release, there’s a key paragraph I want to point out:

Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”

There you have all my advice summed up. Blacklisting, or signature based detection is not enough – and luckily, It’s only one of the many techniques leading edge anti-malware products use to protect you.

One of the alternates, which many vendors use (though I am proud to say McAfee lead the market with) is cloud based reputation detection. We call it “File Reputation” though you may have heard it called Artemis which was our code name for the project – This is a technique where, rather than basing decisions on whether the file you downloaded in an email, or got from the web, is “known to be bad” by virtue of it being on a blacklist, we look at attributes of the file, where it came from, whether it’s signed etc, in fact around 80 different things to work out how “suspicious” we think it is, and based on that our products reach out to the McAfee cloud and start asking questions. Very quickly, in fact pretty much instantly as far as you could tell, we can determine the likelihood of anything being malicious or not, whether we’ve seen it before or not.

Better still, that “reputation” can be bolstered by looking at who else is asking questions about the same file – Malware distribution often follows predictable patterns, distribution from known bad domains, geographic peculiarities etc – all this information can be combined to make a judgment on whether your latest financial results spreadsheet which “appears” to in an email from your boss is genuine or not.

This reputation data, or “Global Threat Intelligence” as we call it, is absolutely critical and baked into pretty much every product we offer. Without GTI, you’re really not protected from novel threats. Not by half. 

My colleague Rees Johnson posted a video about McAfee’s GTI reputation engine a while ago. He gave a great example of one of our larger customers, who reported 12,000 potential virus samples to McAfee in 2011 – 7200 of which were not detected by the McAfee blacklisting engine.

We already had our cloud reputation engine in place, but that customer had not turned it on – much like it seems the NY Times were not using cloud based reputation technology from their vendor (supposition on my part of course).

As an academic exercise we turned our reputation system on, set it to the least aggressive level, and re-ran the samples.

The reputation engine, even at this most basic level immediately detected 50% more malware immediately. Turning the reputation system up to its highest level it caught it all –  100% of the samples our customer had were correctly identified.

On average the reputation engines offer protection around 127 hours in advance of the blacklists, or looking at it the other way around, 5+ days opportunity for you to  get infected without it.

If our customer had McAfee File Reputation enabled, not one of those 12,000 samples would have got through to infect their machines – they would have been 100% protected. Generally, enabling the McAfee cloud based reputation services improves the effectiveness of our products by an additional  10-30% when it comes to novel threats – even if every advanced feature of the product are enabled, there’s ALWAYS more protection.

You can imagine our customer was pretty surprised to have such power on hand, and was pretty fast to click the few buttons to enable it on all their 100,000+ machines.

“What about false positives?”- well I must confess there’s always the possibility – we average 0.0001%, or 1 in 100,000 pieces of software are misidentified. Can you live with a 1:100,000 chance of your malware protection product blocking something new? I know I can.

Let’s re-run the scenario I started with.

1.            Someone gets an infected email, or visits a compromised web site.

2.            The malware is new, and thus not identified by their blacklisting technology, so it gets checked out by the cloud reputation system

3.            It’s bad, so it gets blocked

 Game over, everyone happy, everyone safe.

And after all, “Safe Never Sleeps” is our motto.

I want to leave it here as I want to compare apples with apples, but blacklisting, and cloud reputation are not the end of the story – They are both valuable techniques to protect against threats, but still not (in my mind) the most sophisticated, nor the ones we will be using for years to come.

Alongside the simplistic blacklisting, current products have technologies which are more behavioral based – At McAfee we call it “Host Intrusion Prevention” or HIPS for short – It couples a dynamic firewall, again with global reputation knowledge, vulnerability shielding making sure malware can’t take advantages of know software flaws, and behavioral protection for commonly used attack strategies – Turning on HIPS stops malware from making changes to your systems – so again, it’s absolutely essential in preventing the novel new attacks that blacklisting is unaware of. Unfortunately, like reputation, lots of people buy this feature but never turn it on, so they really miss out on the advanced protection it offers.

Finally, I am tremendously excited by advances in whitelisting techniques – the idea of instead of trying to know about all the bad stuff, and trying to make judgment calls on unknown things, we turn that on its head and instead strive to know about the good stuff, and consider everything else bad or suspicious. You can imagine how disruptive that will be to cyber criminals who survive only because they can create new malware faster than we can identify it – all of a sudden anything new is closely watched, blocked, constrained.

Polymorphic malware would be no longer effective, “Advanced Persistent Threats” disappear, we can ignore 30 years of cumulative malware because it’s all ineffective overnight. McAfee calls this  “Application Control”, and I fully believe it’s where, as an industry, we should be moving

But in the mean time – at least turn on the advanced features of the products you bought and get the best protection you can ?

Simon.

Generic Dropper.p (XtremeRAT)

This is where, from the research side, things begin to get fun.

Automated malware analysis is nothing new to our industry. Most vendors (ourselves included) have tools to handle this internally, and assist our skilled human analysts with proper classification, documentation, and other recurring tasks that must occur with the daily barrage of new and unique malicious binaries. The bar for this threat, however, has been raised. With ValidEdge, we were able to generate enormous amounts of usable and actionable data from the execution of malware samples. We get feedback from basic static analysis, as well as from runtime data. We get all the usual system modification data, and full and complete network/communication data, and samples and memory dumps from second-level threats (dropped, created, downloaded entities). And it’s all done in a safe environment, with extremely robust reporting.

To fully illustrate, let’s focus on the Trojan that affected the Israeli police. In the McAfee universe, we detect this threat as Generic Dropper.p.

To start with, you simply submit your sample(s) to the ValidEdge appliance/host. The ways to do that vary depending on implementation. In my setup, it’s as simple as dropping the file, via FTP, on the appliance, then picking up the results set the same way (different directory on the FTP server). Easy and fast. I immediately had a set of results from my submission of the following sample:

The result sets are organized as a specific directory structure.

Analysis report sample

This is where we typically end with most tools. The exception here, from my experience, is that there is much more data generated by the appliance to start taking action on.  The way in which the information is organized is also very friendly and workable. Some basic examples follow:

Sample Data	Sample Data 2
Sample Data 3	Sample Data 4

From here we can get enough static data to build a picture of the malware and its behavior. We also have network data and full memory dumps and screenshots at our disposal should we need to dig further.

Memory dumps

PCAPs

All the secondary/dropped files are presented as well. As such, these can be easily analyzed in context.

Dropped files

Dropped files, specific to this threat, are detected via McAfee Global Threat Intelligence along with the current DATs.

Example:

Name: word.exe
MD5: 2BFE41D7FDB6F4C1E38DB4A5C3EB1211
Detection: Artemis!2BFE41D7FDB6

At this point you have plenty of information to understand what this threat is doing, how it communicates, and much more. Some would argue that deep malware analysis is an art form. But to embark on that sort of journey you need enough data to make constructive, creative, and accurate decisions. Tools like ValidEdge do exactly that.

If you would like to learn more, you can read the following sources:

• http://www.opswat.com/partners/technology-partners
• http://www.mcafee.com/us/products/network-threat-response.aspx

PC-World’s Ian Paul relays this story, and repeats Metasploit’s advice – use another browser.

That’s all well and good, but for many people I work with – they don’t have a choice as to what browser to use. A significant portion of my corporate customers for example are still using XP and IE6 – certainly within the corporate customer base there is not a high frequency of browsers other than IE – most users are either unable to install another browser, or simply don’t have a personal reason to.

On the consumer side, the situation is a little different – looking at the latest analytics from our short url service, http://mcaf.ee for example, around two thirds of visitors are using an IE variant (the majority IE 8/9), with Chrome  and Firefox splitting most of what’s left between them.

I’ll track the numbers over the next few weeks, but a landslide shift away from IE is not something I expect to see.

And why would people move? The advice, to stop using IE is only valid if you don’t have any protection from exploits – already McAfee, and most of our peers have protection and identification in place for this piece of malware, and if you’re a corporate customer using McAfee HIPS (Host Intrusion Prevention Software), you’ve had coverage since you installed the product if you’re using a couple of generic rules.

A zero-day exploit which you’ve been protected from, potentially for years.

I’m not saying that this virus is not serious, but, is it more serious than any of the 70,000 or so that we discover any particular day?

Every day we could announce “stop using this version of Oracle, or this version of Flash, or this version of Angry Birds” (examples of course) – zero days are discovered regularly, mostly in applications – what makes the world safe(er) is that most malware protection solutions don’t just rely on signatures, they rely on behavior, rules, and cloud based knowledge, so even though you’re using IE, no one can exploit the defect because your anti-malware product is shielding that defect from exploitation.

We’ve heard this news all before – back in January 2010, Steven Vaughan-Nichols of IT-World accused IE of being “an insecure mess”, and further condemns Microsoft with “Windows has been, is now, and always will be insecure” – despite all the evidence pointing to apps, rather than OS’s being the general weak point in todays computing platforms.

And, by October 2010 of course, one of the recommended alternates – Firefox, had also been compromised – what to do? Switch back to IE, or keep changing to something new…

What I say is, changing your browser would be great, but it’s not a permanent fix – cybercriminals will always focus on the most popular computing environments, because that’s where the biggest potential return is, and unless we want to regress to the mosaic days, the complexity that we users demand of modern technology is not going to make bugs disappear, despite our best intentions as programmers.

Changing software every time a threat is discovered, especially when vendors are so quick to react to fix issues, seems a little impractical.

We see this type of attack over and over. Most recently LinkedIn and eHarmony were in the news with similar issues. This Yahoo breach is just the latest in a series of similar attacks that occur in multiples every day.

The attack was launched by the D33DS Co., whose release included this:

D33DS is probably correct in that latter sentence. But are their methods and motivation ethical or legal? That’s a different story. Regardless, Yahoo’s overlooking basic countermeasures against basic attacks (such as SQL injection) cannot be excused.

This is not the first time that Yahoo has been compromised in this way. During the last five years, Yahoo Local Neighbors, Yahoo Kids, Yahoo Classifieds, and others have been successfully targeted.
Ironically, there is a blog on SQL-injection prevention on Yahoo Voices. It was posted in 2009.

What else is interesting about the latest breach?

More than just @yahoo.com usernames and accounts were exposed. If there was ever a time to heed warnings about password reuse, especially across public and high-traffic social systems, this is it. Yahoo may have been the focus of this attack, but data in the dump could be used to target specific users from AOL, Microsoft, Google, Comcast, SBC Global, and others.

Here is a breakdown of associated domains that appear in the D33Ds release:

Yahoo breach Top 20 domains

I’ll leave you with several McAfee resources for understanding SQL injection:

• WebSec 101 – SQL Injection. http://www.mcafee.com/us/resources/audio/transcripts/websec101-sqlinjection-slides.pdf
• McAfee Security Scanner for Databases. http://www.mcafee.com/us/products/security-scanner-for-databases.aspx
• Threat Brief – LizaMoon. http://www.mcafee.com/us/resources/solution-briefs/sb-lizamoon-sql-injection.pdf
• White paper on Real-time Database Monitoring, Auditing, and Intrusion Prevention.  http://www.mcafee.com/us/resources/white-papers/wp-real-time-database-monitoring.pdf

Since High Roller appears to be introduced via a malicious website or social engineering attack, McAfee SiteAdvisor Enterprise and McAfee Web Gateway can prevent users from accessing malicious host sites.  McAfee Host Intrusion Prevention (HIPS) can block drive-by vulnerability exploits, preventing the malware from running for the first time on a target machine. McAfee Application Control can prevent any unknown or unapproved application from being installed or allowed to run.  McAfee VirusScan Enterprise protects the machine from any known variants. McAfee Deep Defender will block the vast majority of kernel mode rootkits that High Roller variants may contain, day zero, with no need to update any signatures. Additionally, both McAfee VirusScan Enterprise and McAfee Host Intrusion Prevention prevent registry modifications and other configuration changes. And finally the McAfee Desktop Firewall can block outbound command and control communication to sites deemed malicious by McAfee Global Threat Intelligence technology.

Read the full report on Operation High Roller here:

http://www.mcafee.com/us/resources/reports/rp-operation-high-roller.pdf

For more on the four phases of every attack, please see my blog:

http://blogs.mcafee.com/enterprise/the-four-phases-of-every-attack

And more detail about protecting yourself against the 4 phases of every attack is here:

http://blogs.mcafee.com/enterprise/how-todays-new-generation-of-security-products-protect-you-in-each-of-the-4-phases-of-every-attack

More on High Roller as it comes out.

Be SAFE!

In phase one, effective tools are those that limit or block first contact with a victim. These include host or network based web filtering products for the majority of today’s threats. For protection against physical compromise, such as with APTs, device control is needed. Host based NAC products can ensure that only ‘healthy’ endpoints are allowed to connect to a network. Even host based firewalls can protect against misconfigured network security or unsecured internet connections like roaming users might find.

In phase two, the job gets harder, especially when trying to stop previously unknown threats from exploiting new or recent vulnerabilities. Typical here is some type of buffer overflow attack which requires some type of memory protection or system call interception techniques to watch for buffer overflow attack. What is also required is scanning memory and network traffic upon access, sometimes called on-access scanning. Relatively new are file whitelisting or application control products, which use a ‘deny by default’ approach so that only known files or applications can be installed.

In phase three, traditional AV has played the strongest role by scanning the disk for known malicious files. This method has the advantage of being very deterministic in detecting and cleaning all areas of the file and operating system, but remediation costs are higher. New technologies like McAfee Deep Defender protect attacks prior to the OS loading, providing new protections for this critical threat. Uses McAfee DeepSAFE technology to operate beyond the OS and the first solution to provide real-time kernel memory protection to stop zero-day threats before they have chance to hide. What is interesting about these four phases is that various security technologies usually have a narrow role to play in disrupting malware. It also shows that traditional Antivirus techniques stop malware very late in the infection process, usually after software has been written to disk. 

In phase four, change control techniques like Whitelisting and access protection rules can prevent malicious software from changing known good application files, preventing the execution of many activities. Also hosts based firewalls can prevent connections to known malicious bot networks and limit the loss of sensitive data.